User account being frequently locked out

Solution 1:

Rather than log-diving (as suggested by the other answer thus far), I prefer to use the Account Lockout Tools from Microsoft.

At the very least, it's immensely helpful in showing me which Domain Controller to go log-diving on.

(And yes, it does work on Server 2008 R2, even though it was originally developed for 2000 and 2003.)

Solution 2:

On the Active Directory server the user uses to log on, you will find an entry in the Security event log.

The Event ID might be 4771 (Kerberos Authentication Service).

It might look similar to the following entry:

```
Kerberos pre-authentication failed.

Account Information:
Security ID:        DOMAIN/USERACCOUNT
Account Name:       USERACCOUNT

Service Information:
Service Name:       krbtgt/DOMAIN

Network Information:
Client Address:     ::ffff:172.17.xx.xx
Client Port:        59596

Additional Information:
Ticket Options:     0x40810010
Failure Code:       0x18
Pre-Authentication Type:    2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
```

The Client Address line will tell you which client/server the logon attempt came from (in this example, 172.17.xx.xx).
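
When there are many of these entries, tallying them by account and Client Address shows which machine is sending the bad credentials. The following is an added example, not part of the original answer: it parses event 4771 message text exported from the Security log, and the sample events, account names and addresses in it are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not from a real log), using the field labels shown above.
def _event(account, address, code):
    return ("Kerberos pre-authentication failed.\n\n"
            "Account Information:\n"
            f"Account Name:       {account}\n\n"
            "Network Information:\n"
            f"Client Address:     {address}\n\n"
            "Additional Information:\n"
            f"Failure Code:       {code}\n")

SAMPLE_EXPORT = "\n".join([
    _event("jdoe", "::ffff:172.17.0.21", "0x18"),
    _event("jdoe", "::ffff:172.17.0.21", "0x18"),
    _event("jdoe", "::ffff:172.17.0.35", "0x18"),
    _event("asmith", "::ffff:172.17.0.40", "0x25"),  # different failure code, ignored
])

# "Label:   value" lines; the label ends at the first colon, so "::ffff:..." stays in the value.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_events(text):
    """Split an export into events and return one {label: value} dict per event."""
    chunks = re.split(r"(?m)^Kerberos pre-authentication failed\.[ \t]*$", text)
    return [{k.strip(): v.strip() for k, v in FIELD.findall(c)} for c in chunks if c.strip()]

def client_ip(raw):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); keep unparseable values as-is."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return raw
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def lockout_sources(text, failure_code="0x18"):
    """Count events with the given failure code per (account, client address)."""
    hits = Counter()
    for ev in parse_events(text):
        if ev.get("Failure Code", "").lower() == failure_code:
            hits[(ev.get("Account Name", "?"), client_ip(ev.get("Client Address", "?")))] += 1
    return hits.most_common()  # most frequent source first

if __name__ == "__main__":
    for (account, source), count in lockout_sources(SAMPLE_EXPORT):
        print(f"{count:3d}  {account:10s} {source}")
```
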